Initially we had a long list of “From ends with” filters like the ones below, trying to cut down on our most common spam sources.
From ends with .ru
From ends with .pk
From ends with .in
From ends with .de
From ends with .jp
From ends with .kr
Recently I noticed those rules were not actually blocking those TLDs. It did not take long to figure out why. Here are example From headers an email system might encounter.
From: "John Doe" <john@example.com>
From: Jane <jane@example.com>
From: bob@example.com
The problem with using “From ends with” is that the header frequently ends with a greater-than symbol, the closing angle bracket around the address, so a rule looking for a value ending in “.ru” never matches “<hacker@example.ru>”. So we decided to use “From matches regex” instead.
From matches regex \.(cn|pk|ru|in|de|jp|kr)>?$
That regular expression matches the undesirable TLDs, with an optional greater-than symbol “>” on the end; the “$” anchor means the TLD must be the last thing in the value, so a domain such as example.info is not caught by the “in” alternative. Now any of the following From headers will be matched by our new filter.
From: someone@example.jp
From: "Bad Guy" <hacker@example.ru>
From: Hello <phishing@example.in>
Warning: You should only block TLDs when you are positive you won’t receive legitimate email from such a massive block of domains. Since we block .IN (India) domains, we also will not receive email from domains like linked.in. Keep in mind as well that the From header is chosen by the sender, so these rules only catch spam that does not forge a sender in a TLD you allow.
Bonus: Leverage “matches regex” to replace multiple “contains” rules.
Another filter we use for auto-rejecting pretty obvious spam checks the From header for specific words. You can achieve that with several separate rules like this.
From contains funding
From contains lending
From contains capital
From contains finance
You can do the same thing with this one-liner.
From matches regex (funding|lending|capital|finance)
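To make the two points above concrete (why “From ends with” misses bracketed addresses, and that the single keyword regex is equivalent to the four “contains” rules), here is an added Python example that is not part of the original post or any mail product. It models each rule as a function over the From header value and runs them against a constructed list of sample headers; the sample addresses, the `header_value` helper and the `apply_rule` driver are my own assumptions about how a filter engine presents the header, not a real product’s API.

```python
import re

# Constructed sample From headers (not taken from the original post), covering the
# three shapes the post lists, a .info domain, a mixed-case display name and a
# local part that merely contains one of the keywords.
SAMPLE_FROM_HEADERS = [
    'From: "John Doe" <john@example.com>',
    'From: Jane <jane@example.com>',
    'From: bob@example.com',
    'From: someone@example.jp',
    'From: "Bad Guy" <hacker@example.ru>',
    'From: Hello <phishing@example.in>',
    'From: news@example.info',
    'From: "Capital One Rewards" <alerts@example.net>',
    'From: capitalist@example.org',
    'From: "quick funding desk" <offers@example.org>',
]

BLOCKED_TLDS = ("cn", "pk", "ru", "in", "de", "jp", "kr")
# Same pattern as the post: a dot, one of the TLDs, an optional '>' and then end of value.
TLD_RE = re.compile(r"\.(" + "|".join(BLOCKED_TLDS) + r")>?$")

KEYWORDS = ("funding", "lending", "capital", "finance")
# Same pattern as the post's bonus rule: unanchored alternation, case-sensitive.
KEYWORD_RE = re.compile("(" + "|".join(KEYWORDS) + ")")


def header_value(line):
    """Drop the 'From:' field name and surrounding whitespace (assumed filter behaviour)."""
    _name, _sep, value = line.partition(":")
    return value.strip()


def ends_with_rule(line, suffix):
    """The original 'From ends with' rule: a plain suffix test on the header value."""
    return header_value(line).endswith(suffix)


def tld_regex_rule(line):
    """The replacement 'From matches regex' rule for blocked TLDs."""
    return TLD_RE.search(header_value(line)) is not None


def keyword_contains_rule(line):
    """The four separate 'From contains <word>' rules, OR-ed together."""
    value = header_value(line)
    return any(word in value for word in KEYWORDS)


def keyword_regex_rule(line):
    """The one-line regex the post offers in place of the four 'contains' rules."""
    return KEYWORD_RE.search(header_value(line)) is not None


def apply_rule(rule, headers=SAMPLE_FROM_HEADERS):
    """Return the headers a rule would reject, in input order."""
    return [h for h in headers if rule(h)]


if __name__ == "__main__":
    # The suffix rule misses the bracketed .ru address; the regex catches it.
    print("ends with .ru :", apply_rule(lambda h: ends_with_rule(h, ".ru")))
    print("TLD regex     :", apply_rule(tld_regex_rule))
    print("keyword regex :", apply_rule(keyword_regex_rule))
```

Two things the run makes visible that the rules alone do not: the keyword regex is unanchored, so it rejects capitalist@example.org because “capital” is a substring, and it is case-sensitive here, so “Capital One Rewards” passes; whether your filter engine matches case-insensitively is something to check in its documentation, and wrapping the alternation in word boundaries (`\b(funding|lending|capital|finance)\b`) is the usual fix for the substring problem. The `$` anchor in the TLD regex also assumes the engine strips trailing whitespace from the header value before matching, which `header_value` does explicitly.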